Set HTTP method restriction on WebAPI actions

2025-01-07 03:16:40 +08:00 · 2022-08-06 15:54:07 +08:00 · 2022-08-06 15:54:07 +08:00 · 99b5983143
commit 99b5983143
parent c1e8849b40
2 changed files with 30 additions and 0 deletions
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@ -276,6 +276,20 @@ void WebApplication::doProcessRequest()
    if (!session() && !isPublicAPI(scope, action))
        throw ForbiddenHTTPError();

+    // Filter HTTP methods
+    const auto allowedMethodIter = m_allowedMethod.find({scope, action});
+    if (allowedMethodIter == m_allowedMethod.end())
+    {
+        // by default allow both GET, POST methods
+        if ((m_request.method != Http::METHOD_GET) && (m_request.method != Http::METHOD_POST))
+            throw MethodNotAllowedHTTPError();
+    }
+    else
+    {
+        if (*allowedMethodIter != m_request.method)
+            throw MethodNotAllowedHTTPError();
+    }
+
    DataMap data;
    for (const Http::UploadedFile &torrent : request().files)
        data[torrent.filename] = torrent.data;
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@ -28,6 +28,8 @@

 #pragma once

+#include <utility>
+
 #include <QDateTime>
 #include <QElapsedTimer>
 #include <QHash>
@ -130,6 +132,20 @@ private:

    QHash<QString, APIController *> m_apiControllers;
    QSet<QString> m_publicAPIs;
+    const QHash<std::pair<QString, QString>, QString> m_allowedMethod =
+    {
+        // <<controller name, action name>, HTTP method>
+        // TODO: this list is incomplete
+        {{QLatin1String("app"), QLatin1String("setPreferences")}, Http::METHOD_POST},
+        {{QLatin1String("app"), QLatin1String("shutdown")}, Http::METHOD_POST},
+        {{QLatin1String("auth"), QLatin1String("login")}, Http::METHOD_POST},
+        {{QLatin1String("auth"), QLatin1String("logout")}, Http::METHOD_POST},
+        {{QLatin1String("rss"), QLatin1String("addFeed")}, Http::METHOD_POST},
+        {{QLatin1String("search"), QLatin1String("installPlugin")}, Http::METHOD_POST},
+        {{QLatin1String("torrents"), QLatin1String("add")}, Http::METHOD_POST},
+        {{QLatin1String("torrents"), QLatin1String("addPeers")}, Http::METHOD_POST},
+        {{QLatin1String("torrents"), QLatin1String("addTrackers")}, Http::METHOD_POST}
+    };
    bool m_isAltUIUsed = false;
    QString m_rootFolder;